I have done URL filtering with .htaccess (using learning and generator), however I am still concerned that any POST request can be submitted to the PHP even there is only one POST form on the website, and it's not file upload.

I would like make Apache filtering file upload POST requests, so it never gets to PHP process.

I have just installed mod_security on Ubuntu 12 however at the moment I am clueless on how to do it properly.

This is to secure PHP from remote exploits using e.g. PHP file upload code, so in this case I would accept only POST with two fields: login and password, each has to be checked before reaching PHP that they are 16 characters long, there are no other variables etc.

Same for the Host: and Cookie, I would like to filter it the way that it blocks multiple remote exploits like SQL Injection etc.

The thing is that PHP always is processing data via POST and GET. If I could filter out the whole POST by a filter (which takes the header in, and then the rest of the stream in parts), I can make sure, that my login server is secure against PHP exploits.

It is confined with AppArmor, to isolate from other processes. Now my problem is that from this login server has all the tokens which are granting security to the all data. Now I need to make sure that the token is being given only with valid username and password, as well it's impossible to breach the with the most recent exploit being just developed on the next thread.
Since this is only single REST call, it is very easy to filter only one POST request at the application level and maybe it would be even woth filtering it on another process, but this only creates more questions and no answers, because it's not easy to develop such server which will handle many connections, do safe checks and so on.

I run standard LAMP system and Fast-CGI, and all I want is to make the login secure.

Tokens are in MySQL database, as well logins and passwords. There are many logins and passwords, e.g. Host: field is used as login to obtain a random Cookie which grants access to website.

Login server creates the security schema for each user, which is copied to another servers, and used by MySQL to restrict data. So therefore I need to make it really extra secure because of PHP, and I got this previously abused in 100 possible ways.

The passwords are checked against dictionaries, so it's resilient to brute force.

Also Apache is restricted from getting MySQL access, it's the PHP with access, there is a password file and the secret key.

Also another thing is that I dont trust the PHP code, I need to assume it is backdoored, and there is also some remote shell lying around the sub folders, so I need to assume that only limited traffic comes to this server.

I dont want to put anything in front of it, as I already have firewall, router, and anything like this is very often easy to by-pass.

With some PHP running for 5 years unpatched, such filter would prevent a serious disaster, that the login page would be replaced with some malware, or something like this, as the login is meant to be secure, and actually prove that fact, that it is, and not because something else runs in front of it.

The PHP has to parse unfiltered user submitted data which can be used to run exploit and lead to information disclosure, which is the case for PHP file upload code now for 8 years. With filtered POST and GET I can secure PHP from the exploits like this.
–
Andrew SmithJul 19 '12 at 18:20

Do you want to filter POSTs or file uploads?
–
schroeder♦Jul 19 '12 at 18:21

I want to filter POSTs, so e.g. I want only one kind of POST query to go thru, e.g. with just login and password fields, which must be alphanumeric and max 16 characters, and every other post to be rejected.
–
Andrew SmithJul 19 '12 at 18:21

Then sanitize the POST input on the scripts that need it? If your other PHP files don't process POSTS, then you're covered there. I'm still unsure what needs to be done.
–
schroeder♦Jul 19 '12 at 18:24

Allows to hook external command to read from stdin and write to stdout.

For login server it is ideal solution, that small C app can simply check the header (via environment) and body, and strip it with everything what is not matching the pattern without bothering with Apache API at all, as well it is much easier to do, and C app overhead is very low compared to PHP.

Because your focus is stopping the code before it reaches your PHP script, I think your best course is a Web Application Firewall.

But, I don't think you need it from your description. Sanitizing your inputs will prevent the things you are concerned about, but it does require that the PHP script process the incoming data (POST data, hosts, cookie).

Many thanks! I uses few of them, but none of these actually did filtering of POSTs at that time. However I am looking to do it via little C code for Apache server. I could develop this but I am not sure what API to use, like mod_filter and how to compile / build so it reads the config from .htaccess file too
–
Andrew SmithJul 19 '12 at 19:12